Address Resolution (AR) does not scale well in very large layer-2 domains, such as massive datacenters, and is very much prone to Denial of Service (DoS) attacks (such as prefix scanning). Basically, when the last router finds that the destination is "on-link" and has no adjacency (no link-layer address) for it, the router builds a resolution packet and broadcasts it (Address Resolution Protocol (ARP) in Internet Protocol version 4 (IPv4)) or multicasts it (Neighbor Discovery (ND) Neighbor Solicitation (NS) in IPv6). This packet is flooded by all switches of the layer-2 domain and reaches every node, but at most one node responds: the one that owns the destination (target) address. Multiplied by a very large number of destinations, the AR operations represent a significant overhead for the router, the switches, the links (especially wireless links), and the hosts themselves.
In addition, a classical attack is a malicious remote user scanning a prefix by sending, at a high rate, a large number of packets to all possible destinations within that prefix, most if not all of which are invalid. The last router (the one owning that prefix) attempts to resolve each destination and consumes resources (neighbor cache entries in the INCOMPLETE state and solicitation transmissions) up to the point where it is no longer able to resolve valid destinations.
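The following Python model is added here for illustration and is not part of this document or of any router implementation. It models the last router's neighbor cache as a fixed budget of INCOMPLETE entries (256 here, an assumed figure), one per destination being resolved, and replays a burst of 1000 packets scanning the first addresses of an assumed prefix 2001:db8::/64 on which a single assumed valid host, 2001:db8::abcd, exists. It shows the scan exhausting the budget so that the valid host can no longer be resolved, how long the router stays in that state once the scan stops (entries are only freed after MAX_MULTICAST_SOLICIT retransmissions, the RFC 4861 default of 3), and that evicting the oldest INCOMPLETE entry keeps the valid host reachable but leaves the multicast load on the switches, links and hosts untouched.

```python
"""Toy model of a last-hop router's neighbor cache under a prefix scan.

Added example, not part of the draft. The cache size, the eviction policy
and the addresses below are assumptions made for illustration.
"""
from collections import OrderedDict
import ipaddress

MAX_MULTICAST_SOLICIT = 3            # RFC 4861 default: NS retries before giving up
PREFIX = "2001:db8::/64"             # assumed prefix owned by the last router
VALID_HOST = "2001:db8::abcd"        # assumed: the only address that really exists
LINK_HOSTS = {VALID_HOST: "02:00:00:00:00:01"}   # address -> link-layer address


class NeighborCache:
    """Router-side neighbor cache. Every unresolved on-link destination
    holds one INCOMPLETE slot until its retries are exhausted."""

    def __init__(self, max_incomplete, evict_oldest=False):
        self.max_incomplete = max_incomplete
        self.evict_oldest = evict_oldest
        self.incomplete = OrderedDict()   # dst -> number of NS sent so far
        self.reachable = {}               # dst -> link-layer address
        self.solicitations = 0            # NS multicast onto the link (every node receives them)
        self.dropped = 0                  # packets refused because no slot was free

    def forward(self, dst, link_hosts):
        """Handle one packet for on-link destination dst. Only the owner of
        dst (if any) answers the solicitation. Returns True once deliverable."""
        if dst in self.reachable:
            return True
        if dst not in self.incomplete:
            if len(self.incomplete) >= self.max_incomplete:
                if not self.evict_oldest:
                    self.dropped += 1         # cache full: cannot even start resolving
                    return False
                self.incomplete.popitem(last=False)   # make room by discarding the oldest
            self.incomplete[dst] = 0
        self.incomplete[dst] += 1
        self.solicitations += 1
        if dst in link_hosts:                 # the target exists and answers
            self.reachable[dst] = link_hosts[dst]
            del self.incomplete[dst]
            return True
        return False                          # nobody answers; entry stays INCOMPLETE

    def tick(self):
        """Retransmit timer expiry: resend NS for each INCOMPLETE entry,
        discarding the ones that already used all their retries."""
        for dst in list(self.incomplete):
            if self.incomplete[dst] >= MAX_MULTICAST_SOLICIT:
                del self.incomplete[dst]
            else:
                self.incomplete[dst] += 1
                self.solicitations += 1


def prefix_scan(cache, prefix, count, link_hosts):
    """Attacker sends one packet to each of the first `count` addresses of prefix."""
    sent = 0
    for addr in ipaddress.ip_network(prefix).hosts():
        if sent >= count:
            break
        cache.forward(str(addr), link_hosts)
        sent += 1
    return sent


def run_scan(evict_oldest):
    """Scan burst, then one packet for the valid host.
    Returns (valid host delivered?, NS sent on the link, packets dropped)."""
    cache = NeighborCache(max_incomplete=256, evict_oldest=evict_oldest)
    prefix_scan(cache, PREFIX, 1000, LINK_HOSTS)
    delivered = cache.forward(VALID_HOST, LINK_HOSTS)
    return delivered, cache.solicitations, cache.dropped


def ticks_until_valid_resolves(max_ticks=10):
    """Without eviction, the valid host is served again only after the scan's
    INCOMPLETE entries exhausted their retries; returns the number of timer ticks."""
    cache = NeighborCache(max_incomplete=256)
    prefix_scan(cache, PREFIX, 1000, LINK_HOSTS)
    for tick in range(max_ticks):
        if cache.forward(VALID_HOST, LINK_HOSTS):
            return tick
        cache.tick()
    return None


if __name__ == "__main__":
    print("no eviction  :", run_scan(False))   # valid host unreachable
    print("evict oldest :", run_scan(True))    # reachable, but ~4x the NS load
    print("ticks to recover without eviction:", ticks_until_valid_resolves())
```

The scan here is a single burst; an attacker who keeps scanning faster than slots are freed keeps the cache full indefinitely. Eviction restores the valid host at the price of one multicast solicitation per scan packet, which is exactly the per-switch, per-link and per-host overhead the paragraph above describes; it treats the symptom on the router only.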